法律文書、合同樣本庫 5.10破解手記--演算法分析
作者:newlaos[CCG][DFCG]
軟體名稱:法律文書、合同樣本庫
5.10(行業軟體)
整理日期:2003.4.23
最新版本:5.10
檔案大小:3780KB
軟體授權:共享軟體
使用平臺:Win9x/Me/NT/2000/XP
釋出公司:"http://www.votolink.com/"
軟體簡介:萬通聯合一貫專注於法律諮詢、商務諮詢。在我們多年為客戶服務的過程中,積累了大量的法律文書樣本、標準合同樣本和相關法律資訊。我們把這些資訊製作成了專業的資訊軟體,以共享軟體的形式向廣大使用者提供。軟體的內容主要包括:法律格式文書庫、公司常用文書庫
、行業合同樣板庫 、版權與著作權類 、律師辦案寶典 等。
加密方式:ASPACK2.1+註冊碼
功能限制:功能限制
PJ工具:TRW20001.23註冊版,W32Dasm8.93黃金版,FI2.5,OLLYDBG1.09B中文版,PE-scan3.31
PJ日期:2003-04-27
作者newlaos申明:只是學習,請不用於商業用途或是將本文方法制作的序號產生器任意傳播,造成後果,本人一概不負。
注:筆者認為用eBook Edit Pro做軟體,真的不保險!即使是用它最強的「10位機器碼+金鑰」方式,只要知道金鑰,就可以用eBook Edit Pro自帶的KeyMaker.exe求得真正的註冊碼。而金鑰一定找得到:程式是在本機以「機器碼+金鑰」重算出正確註冊碼,再與使用者輸入做字串比較(見下文00477E3E~00477E48的比較與sete),所以金鑰必然以明文存在於程式和執行時記憶體中,跟蹤一次即可取出——這是任何在客戶端做對稱校驗(驗證方與產生方共用同一秘密)的註冊方案的固有缺陷。本文對演算法的分析,也就等效於對KeyMaker.exe演算法的分析。
1、用FI2.5查殼,發現加了ASPACK2.1的殼,用TRW2000進行手動脫殼,也可以用PE-scan3.31脫殼! 生成UNPACK.exe檔案。
2、用W32Dasm黃金修正版本進行靜態反彙編,找不到任何有用的字串參考,只好用TRW2000的萬能斷點(BPX hmemcpy)動態定位了。
3、動態跟蹤除錯。請出國寶TRW2000,下斷點BPX hmemcpy。輸入假碼78787878,點確定被斷下來,F12和F10來到下列程式碼段
.......
.......
:004786C0
50 push
eax
:004786C1 8D55F8
lea edx, dword ptr [ebp-08]
:004786C4 8BC3
mov eax, ebx
:004786C6 8B08
mov ecx, dword ptr
[eax]
:004786C8 FF91E4000000 call
dword ptr [ecx+000000E4]
:004786CE 8B45F8
mov eax, dword ptr [ebp-08] <===EAX=3754256370(機器碼)
:004786D1
8B8BF8020000 mov ecx, dword ptr [ebx+000002F8]
<===ECX=lawtxt163424(這裡竟然用明碼形式顯示金鑰,就破解角度而言就太簡單了:-)
:004786D7 5A
pop edx <===EDX=78787878(假碼)
:004786D8
E81FF7FFFF call 00477DFC <===不用問,這就是關鍵的CALL,F8跟進(其實到這裡,已經可以利用eBook Edit Pro自帶的KeyMaker.exe求得真正的註冊碼了:填入機器碼,再填入金鑰,最後點生成,真正的註冊碼就出來了)----結論:用eBook Edit Pro做的程式並不保險!在OLLYDBG裡,金鑰同樣可以在記憶體堆疊中找到。
:004786DD 8BD8
mov ebx, eax
:004786DF 33C0
xor eax,
eax
:004786E1 5A
pop edx
:004786E2 59
pop ecx
:004786E3 59
pop ecx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00478675(C)
|
:004786E4
648910 mov dword
ptr fs:[eax], edx
:004786E7 6801874700
push 00478701
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004786FF(U)
|
:004786EC
8D45F8 lea eax,
dword ptr [ebp-08]
:004786EF BA02000000
mov edx, 00000002
:004786F4 E8CFB4F8FF
call 00403BC8
:004786F9 C3
ret
---------004786D8
call 00477DFC 關鍵的CALL,F8跟進-------------
:00477DFC 55
push ebp
:00477DFD 8BEC
mov ebp, esp
:00477DFF
81C4FCFEFFFF add esp, FFFFFEFC
:00477E05
53 push
ebx
:00477E06 56
push esi
:00477E07 57
push edi
:00477E08 33DB
xor ebx, ebx
:00477E0A 895DFC
mov dword ptr [ebp-04],
ebx
:00477E0D 8BF9
mov edi, ecx
:00477E0F 8BF2
mov esi, edx
:00477E11 8BD8
mov ebx, eax
:00477E13
33C0 xor
eax, eax
:00477E15 55
push ebp
:00477E16 68637E4700
push 00477E63
:00477E1B 64FF30
push dword ptr fs:[eax]
:00477E1E 648920
mov dword ptr fs:[eax],
esp
:00477E21 8D8DFCFEFFFF lea ecx,
dword ptr [ebp+FFFFFEFC]
:00477E27 8BD7
mov edx, edi <===EDX=lawtxt163424(作者定的金鑰)
:00477E29
8BC3 mov
eax, ebx <===EAX=3754256370(機器碼)
:00477E2B E864FEFFFF
call 00477C94 <===關鍵演算法CALL,F8跟進
:00477E30 8D95FCFEFFFF
lea edx, dword ptr [ebp+FFFFFEFC]
:00477E36
8D45FC lea eax,
dword ptr [ebp-04]
:00477E39 E88ABFF8FF
call 00403DC8
:00477E3E 8B45FC
mov eax, dword ptr [ebp-04] <===真註冊碼Sey0kJw6CBL6
:00477E41
8BD6 mov
edx, esi <===假碼78787878
:00477E43 E8ECC0F8FF
call 00403F34
:00477E48 0F94C0
sete al
:00477E4B 8BD8
mov ebx, eax
:00477E4D
33C0 xor
eax, eax
:00477E4F 5A
pop edx
:00477E50 59
pop ecx
:00477E51 59
pop ecx
:00477E52
648910 mov dword
ptr fs:[eax], edx
:00477E55 686A7E4700
push 00477E6A
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477E68(U)
|
:00477E5A
8D45FC lea eax,
dword ptr [ebp-04]
:00477E5D E842BDF8FF
call 00403BA4
:00477E62 C3
ret
--------00477E2B
call 00477C94 演算法CALL,F8跟進--------------
:00477C94 55
push ebp
:00477C95 8BEC
mov ebp, esp
:00477C97
83C4E0 add esp,
FFFFFFE0
:00477C9A 53
push ebx
:00477C9B 56
push esi
:00477C9C 57
push edi
:00477C9D
33DB xor
ebx, ebx
:00477C9F 895DE0
mov dword ptr [ebp-20], ebx
:00477CA2 895DE4
mov dword ptr [ebp-1C], ebx
:00477CA5
895DE8 mov dword
ptr [ebp-18], ebx
:00477CA8 8BF9
mov edi, ecx
:00477CAA 8955F8
mov dword ptr [ebp-08], edx
:00477CAD
8945FC mov dword
ptr [ebp-04], eax
:00477CB0 8B45FC
mov eax, dword ptr [ebp-04] <===EAX=3754256370(機器碼)
:00477CB3
E820C3F8FF call 00403FD8
:00477CB8
8B45F8 mov eax,
dword ptr [ebp-08] <===EAX=lawtxt163424(作者定的金鑰)
:00477CBB E818C3F8FF
call 00403FD8
:00477CC0 33C0
xor eax, eax
:00477CC2
55 push
ebp
:00477CC3 68ED7D4700 push
00477DED
:00477CC8 64FF30
push dword ptr fs:[eax]
:00477CCB 648920
mov dword ptr fs:[eax], esp
:00477CCE
837DFC00 cmp dword ptr
[ebp-04], 00000000 <===[ebp-04]為機器碼不會跳
:00477CD2 746F
je 00477D43
:00477CD4 BB01000000
mov ebx, 00000001 <===計數器EBX初始化為1
:00477CD9
8D75EF lea esi,
dword ptr [ebp-11]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D09(C)
|
:00477CDC
8B45FC mov eax,
dword ptr [ebp-04] <===EAX=3754256370(機器碼)
:00477CDF E840C1F8FF
call 00403E24 <===計算出機器碼的長度(EAX=A)
:00477CE4
50 push
eax <===壓入A
:00477CE5 8BC3
mov eax, ebx <===EBX為計數器(依次為1,2,3,4,5,6,7,8,9)
:00477CE7
48 dec
eax <===EAX依次為0,1,2,3,4,5,6,7,8
:00477CE8 5A
pop edx <===EDX=A
(定值)
:00477CE9 8BCA
mov ecx, edx
:00477CEB 99
cdq
:00477CEC F7F9
idiv ecx <===這裡EAX始終為0,而EDX依次為012345678
:00477CEE
8B45FC mov eax,
dword ptr [ebp-04] <===EAX=3754256370(機器碼)
:00477CF1 8A0410
mov al, byte ptr [eax+edx] <===依次將機器碼每個字元的ASC值,放入AL
:00477CF4
50 push
eax
:00477CF5 8B45FC
mov eax, dword ptr [ebp-04] <===EAX=3754256370(機器碼)
:00477CF8 E827C1F8FF
call 00403E24 <===計算出機器碼的長度(EAX=A)
:00477CFD
5A pop
edx <===取出每個字元的ASC值
:00477CFE 32D0
xor dl, al
:00477D00 32D3
xor dl, bl
DL= A XOR 33=39 XOR 1=38
DL= A XOR 37=3D XOR 2=3F
DL= A XOR 35=3F XOR 3=3C
DL= A XOR 34=3E XOR 4=3A
DL= A XOR 32=38 XOR 5=3D
DL= A XOR 35=3F XOR 6=39
DL= A XOR 36=3C XOR 7=3B
DL= A XOR 33=39 XOR 8=31
DL= A XOR 37=3D XOR 9=34
:00477D02 8816
mov byte
ptr [esi], dl <===第一遍處理的值依次放入ESI的位置裡
:00477D04 43
inc ebx <===EBX=EBX+1
:00477D05
46 inc
esi
:00477D06 83FB0A
cmp ebx, 0000000A <===說明此處迴圈9次,正好處理機器碼的前9位
:00477D09 75D1
jne 00477CDC
<===向上跳成迴圈結構,對機器碼進行第一遍變形處理
:00477D0B 8B45FC
mov eax, dword ptr [ebp-04] <===EAX=3754256370(機器碼)
:00477D0E
E811C1F8FF call 00403E24 <===計算出機器碼的長度(EAX=A)
:00477D13
8BF0 mov
esi, eax <===ESI=A
:00477D15 85F6
test esi, esi
:00477D17 7E2A
jle 00477D43 <===當然不跳了
:00477D19
BB01000000 mov ebx, 00000001 <===計數器EBX再次初始化為1
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D41(C)
|
:00477D1E
8B45FC mov eax,
dword ptr [ebp-04] <===EAX=3754256370(機器碼)
:00477D21 E8FEC0F8FF
call 00403E24 <===計算出機器碼的長度(EAX=A)
:00477D26
2BC3 sub
eax, ebx <===EAX=EAX-EBX(依次為9876543210)
:00477D28 8B55FC
mov edx, dword ptr [ebp-04]
<===EDX=3754256370(機器碼)
:00477D2B 8A0C02
mov cl, byte ptr [edx+eax] <===反向順序依次取機器碼的ASC值
:00477D2E
8BC3 mov
eax, ebx <===EAX依次為123456789A
:00477D30 48
dec eax
<===EAX依次為0123456789
:00477D31 51
push ecx <===ASC值壓入棧
:00477D32
B909000000 mov ecx, 00000009 <===ECX=9
:00477D37
99 cdq
:00477D38
F7F9 idiv
ecx <===EAX前9次始終為0,最後一次為1,EDX依次為0123456780
:00477D3A 59
pop ecx <===ECX為依次取出的ASC值
:00477D3B
304C15EF xor byte ptr [ebp+edx-11],
cl <===依次與上個迴圈出來的值做異或運算
38 xor 30=08 XOR 33 =3B <===由於是10次,所以又迴圈上來做異或運算,
3F xor 37=08
3C xor 33=0F
3A xor 36=0C
3D xor
35=08
39 xor 32=0B
3B xor 34=0F
31 xor 35=04
34 xor 37=03
:00477D3F 43
inc ebx
:00477D40 4E
dec esi <===此次迴圈,卻是由ESI說了算,所以迴圈了10次,即機器碼的長度次
:00477D41
75DB jne
00477D1E <===向上跳構成迴圈結構,對機器碼進行第二次變形,反向順序
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00477CD2(C),
:00477D17(C)
|
:00477D43 837DF800
cmp dword ptr [ebp-08], 00000000 <===[ebp-08]=lawtxt163424(作者定的金鑰)
:00477D47
7439 je 00477D82
<===當然不跳了
:00477D49 BB01000000
mov ebx, 00000001 <===計數器初始化為1
:00477D4E 8D75EF
lea esi, dword ptr [ebp-11]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D80(C)
|
:00477D51
8B45F8 mov eax,
dword ptr [ebp-08] <===EAX=lawtxt163424
:00477D54 E8CBC0F8FF
call 00403E24 <===計算出金鑰的長度EAX=C
:00477D59
50 push
eax <===將長度C壓入棧
:00477D5A 8BC3
mov eax, ebx <===EAX依次為123456789
:00477D5C
48 dec
eax <===EAX依次為012345678
:00477D5D 5A
pop edx <===EDX=C
:00477D5E
8BCA mov
ecx, edx <===ECX=C
:00477D60 99
cdq
:00477D61 F7F9
idiv ecx <===EAX始終為0,EDX依次為012345678
:00477D63
8B45F8 mov eax,
dword ptr [ebp-08] <===EAX=lawtxt163424
:00477D66 8A0410
mov al, byte ptr [eax+edx] <===依次取出金鑰前9個字元的ASC值
:00477D69
3206 xor
al, byte ptr [esi]
AL=3B XOR 6C=57
AL=08
XOR 61=69
AL=0F XOR 77=78
AL=0C XOR 74=78
AL=08 XOR 78=70
AL=0B XOR 74=7F
AL=0F XOR 31=3E
AL=04
XOR 36=32
AL=03 XOR 33=30
:00477D6B
50 push
eax
:00477D6C 8B45F8
mov eax, dword ptr [ebp-08]<===EAX=lawtxt163424
:00477D6F E8B0C0F8FF
call 00403E24 <===計算出金鑰的長度EAX=C
:00477D74
5A pop
edx <===EDX依為上面計算出的值
:00477D75 32D0
xor dl, al <===
:00477D77 32D3
xor dl, bl
DL= C XOR 57=39 XOR 1=5A (ASC="Z")
DL= C XOR 69=3D XOR 2=67 (ASC="g")
DL= C XOR 78=3F XOR 3=77 (ASC="w")
DL= C XOR 78=3E XOR 4=70 (ASC="p")
DL= C XOR 70=38 XOR 5=79 (ASC="y")
DL= C XOR 7F=3F XOR 6=75 (ASC="u")
DL= C XOR 3E=3C XOR 7=35 (ASC="5")
DL= C XOR 32=39 XOR 8=36 (ASC="6")
DL= C XOR 30=3D XOR 9=35 (ASC="5")
:00477D79
8816 mov
byte ptr [esi], dl
:00477D7B 43
inc ebx
:00477D7C 46
inc esi
:00477D7D 83FB0A
cmp ebx, 0000000A <===哈哈,又是隻迴圈9次
:00477D80
75CF jne
00477D51 <===向上跳構成迴圈結構
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477D47(C)
|
:00477D82
8D45E8 lea eax,
dword ptr [ebp-18]
:00477D85 E81ABEF8FF
call 00403BA4
:00477D8A BB09000000
mov ebx, 00000009
:00477D8F 8D75EF
lea esi, dword ptr [ebp-11]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477DA9(C)
|
:00477D92
8D45E4 lea eax,
dword ptr [ebp-1C]
:00477D95 8A16
mov dl, byte ptr [esi] <===依次取出Zgwpyu565的ASC值
:00477D97
E8B0BFF8FF call 00403D4C
:00477D9C 8B55E4
mov edx, dword ptr [ebp-1C]
:00477D9F 8D45E8
lea eax, dword ptr [ebp-18]
:00477DA2
E885C0F8FF call 00403E2C
:00477DA7
46 inc
esi
:00477DA8 4B
dec ebx
:00477DA9 75E7
jne 00477D92 <===向上跳構成迴圈結構
:00477DAB 8D55E0
lea edx, dword ptr [ebp-20]
:00477DAE
8B45E8 mov eax,
dword ptr [ebp-18] <===EAX=Zgwpyu565
:00477DB1 E89AFDFFFF
call 00477B50 <===最後的關鍵CALL,F8跟進
:00477DB6
8B55E0 mov edx,
dword ptr [ebp-20] <===EDX=Sey0kJw6CBL6
:00477DB9 8BC7
mov eax, edi
:00477DBB B9FF000000
mov ecx, 000000FF
:00477DC0
E83BC0F8FF call 00403E00
:00477DC5
33C0 xor
eax, eax
:00477DC7 5A
pop edx
:00477DC8 59
pop ecx
:00477DC9 59
pop ecx
:00477DCA
648910 mov dword
ptr fs:[eax], edx
:00477DCD 68F47D4700
push 00477DF4
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477DF2(U)
|
:00477DD2
8D45E0 lea eax,
dword ptr [ebp-20]
:00477DD5 BA03000000
mov edx, 00000003
:00477DDA E8E9BDF8FF
call 00403BC8
:00477DDF 8D45F8
lea eax, dword ptr [ebp-08]
:00477DE2 BA02000000
mov edx, 00000002
:00477DE7
E8DCBDF8FF call 00403BC8
:00477DEC
C3 ret
:00477DED
E92EB8F8FF jmp 00403620
:00477DF2
EBDE jmp
00477DD2
:00477DF4 5F
pop edi
:00477DF5 5E
pop esi
:00477DF6 5B
pop ebx
:00477DF7
8BE5 mov
esp, ebp
:00477DF9 5D
pop ebp
:00477DFA C3
ret
------:00477DB1
call 00477B50 最後的關鍵CALL,F8跟進----------------
:00477B50 55
push ebp
:00477B51
8BEC mov
ebp, esp
:00477B53 83C4F0
add esp, FFFFFFF0
:00477B56 53
push ebx
:00477B57 56
push esi
:00477B58
57 push
edi
:00477B59 33C9
xor ecx, ecx
:00477B5B 894DF0
mov dword ptr [ebp-10], ecx
:00477B5E 8BFA
mov edi, edx
:00477B60
8945FC mov dword
ptr [ebp-04], eax
:00477B63 8B45FC
mov eax, dword ptr [ebp-04]
:00477B66 E86DC4F8FF
call 00403FD8
:00477B6B 33C0
xor eax, eax
:00477B6D
55 push
ebp
:00477B6E 68847C4700 push
00477C84
:00477B73 64FF30
push dword ptr fs:[eax]
:00477B76 648920
mov dword ptr fs:[eax], esp
:00477B79
8BC7 mov
eax, edi
:00477B7B E824C0F8FF call
00403BA4
:00477B80 E9D7000000 jmp
00477C5C <===我跳
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C60(C)
| *********************從下跳上來,開始迴圈**********************
:00477B85
8B45FC mov eax,
dword ptr [ebp-04] <===EAX依次為Zgwpyu565,pyu565,565(每次用三位)
:00477B88 E897C2F8FF
call 00403E24 <===求出長度9,6,3
:00477B8D
8BC8 mov
ecx, eax <===ECX=9,6,3
:00477B8F 8BC1
mov eax, ecx
:00477B91 BB03000000
mov ebx, 00000003
:00477B96
99 cdq
:00477B97
F7FB idiv
ebx <===EAX=3,2,1 EDX=0
:00477B99 85C0
test eax, eax
:00477B9B
7E07 jle
00477BA4 <===如果商為0,就跳走
:00477B9D BB03000000
mov ebx, 00000003
:00477BA2 EB02
jmp 00477BA6 <===我跳
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477B9B(C)
|
:00477BA4
8BD9 mov
ebx, ecx <===如果商為0,則EBX就為長度
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BA2(U)
|
:00477BA6
8D45F9 lea eax,
dword ptr [ebp-07] <===跳到這裡
:00477BA9 33C9
xor ecx, ecx <===ECX=0
:00477BAB
BA03000000 mov edx, 00000003 <===edx=3
:00477BB0
E8B3AFF8FF call 00402B68 <===在[ebp-07]起的3個位元組填上0(先清空這一組的輸入緩衝區;最後一組不足3位元組時,空位保持為0)
:00477BB5
8D45F5 lea eax,
dword ptr [ebp-0B]
:00477BB8 B940000000
mov ecx, 00000040
:00477BBD BA04000000
mov edx, 00000004
:00477BC2 E8A1AFF8FF
call 00402B68 <===在[ebp-0B]起的4個位元組填上40(0x40=64正好是下面65個值碼錶的最後一項'9';最後一組不足3位元組時,沒被覆寫的關鍵位置就以它作為填充字元。本例輸入固定為9位元組,不會用到)
:00477BC7
8D45FC lea eax,
dword ptr [ebp-04]
:00477BCA E825C4F8FF
call 00403FF4 <===EAX=Zgwpyu565
:00477BCF 8D55F9
lea edx, dword ptr [ebp-07]
:00477BD2
8BCB mov
ecx, ebx <===ECX=3
:00477BD4 E8B7ACF8FF
call 00402890 <===在[ebp-07]的記憶體位置上依次放上Zgw, pyu, 565
:00477BD9
83FB03 cmp ebx,
00000003
:00477BDC 7C08
jl 00477BE6
:00477BDE 8A45FB
mov al, byte ptr [ebp-05] <===將字串的最後一個字元取出(例:"w","u","5")
:00477BE1
243F and
al, 3F
第一次大迴圈(w) AL=77
AND 3F =37
第二次大迴圈(u) AL=75 AND 3F
=35
第三次大迴圈(5) AL=35 AND 3F =35
:00477BE3
8845F8 mov byte
ptr [ebp-08], al <===關鍵位置1
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477BDC(C)
|
:00477BE6
83FB02 cmp ebx,
00000002
:00477BE9 7C15
jl 00477C00
:00477BEB 8A45FA
mov al, byte ptr [ebp-06] <===將字串的倒數第二個字元取出(例:"g","y","6")
:00477BEE
C1E002 shl eax,
02
:00477BF1 33D2
xor edx, edx
第一次大迴圈(g) AL=67
shl 02 =9C
第二次大迴圈(y) AL=79 shl 02
=E4
第三次大迴圈(6) AL=36 shl 02 =D8
:00477BF3 8A55FB mov
dl, byte ptr [ebp-05] <===將字串的倒數第一個字元取出(例:"w","u","5")
:00477BF6
C1EA06 shr edx,
06
第一次大迴圈(w) DL=77 shr 06 =01
第二次大迴圈(u) DL=75 shr 06 =01
第三次大迴圈(5) DL=35 shr 06 =00
:00477BF9 0AC2
or al, dl
:00477BFB
243F and
al, 3F
第一次大迴圈 AL=9C OR 01 =9D AND
3F =1D
第二次大迴圈 AL=E4 OR 01 =E5 AND
3F =25
第三次大迴圈 AL=D8 OR 00 =D8 AND
3F =18
:00477BFD 8845F7
mov byte ptr [ebp-09],
al <===關鍵位置2
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00477BE9(C)
|
:00477C00 8A45F9
mov al, byte ptr [ebp-07] <===將字串的第一個字元取出(例:"Z","p","5")
:00477C03
8BD0 mov
edx, eax
:00477C05 C1E204
shl edx, 04
第一次大迴圈(Z)
DL=5A shl 04 =A0
第二次大迴圈(p) DL=70
shl 04 =00
第三次大迴圈(5) DL=35 shl 04
=50
:00477C08 33C9
xor ecx, ecx
:00477C0A 8A4DFA
mov cl, byte ptr [ebp-06] <===將字串的倒數第二個字元取出(例:"g","y","6")
:00477C0D
C1E904 shr ecx,
04
第一次大迴圈(g) CL=67 shr 04 =6
第二次大迴圈(y) CL=79 shr 04 =7
第三次大迴圈(6) CL=36 shr 04 =3
:00477C10 0AD1
or dl, cl
:00477C12
80E23F and dl, 3F
第一次大迴圈 DL=A0 OR 6 =A6 AND
3F=26
第二次大迴圈 DL=00 OR
7 =07 AND 3F=07
第三次大迴圈 DL=50
OR 3 =53 AND 3F=13
:00477C15 8855F6
mov byte ptr [ebp-0A], dl <===關鍵位置3
:00477C18
25FF000000 and eax, 000000FF
:00477C1D
C1E802 shr eax,
02
:00477C20 243F
and al, 3F
第一次大迴圈(Z) AL=5A
shr 02 =16 AND 3F=16
第二次大迴圈(p) AL=70
shr 02 =1C AND 3F=1C
第三次大迴圈(5) AL=35
shr 02 =0D AND 3F=0D
:00477C22 8845F5
mov byte ptr [ebp-0B], al <===關鍵位置4
:00477C25
8D45FC lea eax,
dword ptr [ebp-04]
:00477C28 8BCB
mov ecx, ebx <===ECX=3
:00477C2A
BA01000000 mov edx, 00000001
<===EDX=1
:00477C2F E838C4F8FF
call 0040406C <===EAX依次為pyu565,565
:00477C34
BE04000000 mov esi, 00000004
<===ESI=4,計數器初始化為4(因為正好4個關鍵位置的值)
:00477C39 8D5DF5
lea ebx, dword ptr [ebp-0B]
第一次大迴圈四個關鍵位置的值 16 26 1D 37
第二次大迴圈四個關鍵位置的值
1C 07 25 35
第三次大迴圈四個關鍵位置的值 0D 13 18 35
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00477C5A(C)
|
:00477C3C
8D45F0 lea eax,
dword ptr [ebp-10]
:00477C3F 33D2
xor edx, edx
:00477C41 8A13
mov dl, byte ptr [ebx]
第一次大迴圈中,小迴圈裡DL的值依次為 16 26 1D 37
第二次大迴圈中,小迴圈裡DL的值依次為
1C 07 25 35
第三次大迴圈中,小迴圈裡DL的值依次為 0D 13 18 35
:00477C43
8A929DE44700 mov dl, byte ptr [edx+0047E49D]
<===根據EDX的不同在碼錶中取值
*****************碼錶如下(共65個值)*********************
0047E49D
49 59 41 47 50 58 44 4A IYAGPXDJ
0047E4A5 51 57 4D 48 56
43 4E 46 QWMHVCNF
0047E4AD 55 5A 52 42 4B 45 53 4F UZRBKESO
0047E4B5
4C 54 74 66 6B 79 73 62 LTtfkysb
0047E4BD 6F 68 6C 75 6A
77 65 63 ohlujwec
0047E4C5 70 6D 69 61 71 6E 64 78 pmiaqndx
0047E4CD
7A 76 67 72 34 36 2B 30 zvgr46+0
0047E4D5 32 35 37 33 2F
38 31 3D 2573/81=
0047E4DD 39
9
********************************************************
第一次大迴圈中,小迴圈裡DL的值依次提取的是 S e y 0
第二次大迴圈中,小迴圈裡DL的值依次提取的是 k J w 6
第三次大迴圈中,小迴圈裡DL的值依次提取的是
C B L 6
:00477C49 E8FEC0F8FF call
00403D4C
:00477C4E 8B55F0
mov edx, dword ptr [ebp-10]
:00477C51 8BC7
mov eax, edi
:00477C53 E8D4C1F8FF
call 00403E2C
:00477C58 43
inc
ebx
:00477C59 4E
dec esi
:00477C5A 75E0
jne 00477C3C <===此處向上跳,構成一個小迴圈,每次迴圈形成註冊碼的1個字元,每次大迴圈,此處迴圈4次,註冊碼也就出來了"Sey0kJw6CBL6"。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477B80(U)
|
:00477C5C
837DFC00 cmp dword ptr
[ebp-04], 00000000 <===第一大跳到這裡
:00477C60 0F851FFFFFFF
jne 00477B85 <===因為[ebp-04]=Zgwpyu565,所以這裡又向上跳,開始大迴圈,每次迴圈形成註冊碼的四個字元,共迴圈三次
:00477C66
33C0 xor
eax, eax
:00477C68 5A
pop edx
:00477C69 59
pop ecx
:00477C6A 59
pop ecx
:00477C6B
648910 mov dword
ptr fs:[eax], edx
:00477C6E 688B7C4700
push 00477C8B
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477C89(U)
|
:00477C73
8D45F0 lea eax,
dword ptr [ebp-10]
:00477C76 E829BFF8FF
call 00403BA4
:00477C7B 8D45FC
lea eax, dword ptr [ebp-04]
:00477C7E E821BFF8FF
call 00403BA4
:00477C83 C3
ret
:00477C84
E997B9F8FF jmp 00403620
:00477C89
EBE8 jmp
00477C73
:00477C8B 5F
pop edi
:00477C8C 5E
pop esi
:00477C8D 5B
pop ebx
:00477C8E
8BE5 mov
esp, ebp
:00477C90 5D
pop ebp
:00477C91 C3
ret
-----------------------------------------------------------------------------------
4、演算法序號產生器原始碼:(等效於eBook
Edit Pro自帶的KeyMaker.exe的部分功能)
----VB6.0在WIN98下編譯透過----
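Private Sub Command1_Click()
    ' Keygen front end (equivalent to the relevant part of eBook Edit Pro's
    ' KeyMaker.exe): reads the 10-digit machine code from Text1 and writes the
    ' matching registration code to Text2. Invalid input now only shows the
    ' error box; the original also emitted a (meaningless) code for it.
    Dim machineCode As String
    machineCode = Text1.Text
    If IsMachineCode(machineCode) Then
        Text2.Text = MakeRegCode(machineCode)
    Else
        MsgBox "你的輸入有誤,請檢查後重新輸入", 0, "你輸入的是10位的機器嗎?"
    End If
End Sub

' True when s is exactly 10 ASCII digits (the shape of an eBook Edit Pro machine code).
Private Function IsMachineCode(ByVal s As String) As Boolean
    Dim i As Long
    If Len(s) <> 10 Then Exit Function
    For i = 1 To Len(s)
        If Asc(Mid(s, i, 1)) < 48 Or Asc(Mid(s, i, 1)) > 57 Then Exit Function
    Next i
    IsMachineCode = True
End Function

' Registration code for machineCode under this title's fixed key.
Private Function MakeRegCode(ByVal machineCode As String) As String
    ' Author-chosen key. It sits in plaintext in the program because the
    ' program itself has to recompute the code in order to verify it.
    Const SET_KEY As String = "lawtxt163424"
    Dim mixed() As Byte
    mixed = MixBytes(machineCode, SET_KEY)
    MakeRegCode = EncodeTable(mixed)
End Function

' Stages 1-3 (routine 00477C94 in the listing): fold the machine code and the
' key into a 9-byte buffer. String indexes wrap modulo the string length,
' exactly as the idiv in the original does; an empty string skips its stage,
' matching the null checks at 00477CCE and 00477D43.
Private Function MixBytes(ByVal machineCode As String, ByVal setKey As String) As Byte()
    Dim buf() As Byte
    Dim n As Long, k As Long, i As Long, j As Long
    ReDim buf(0 To 8)
    n = Len(machineCode)
    k = Len(setKey)
    If n > 0 Then
        ' Stage 1: buf(j) = code(j) Xor Len(code) Xor (j + 1), 9 rounds.
        For j = 0 To 8
            buf(j) = Asc(Mid(machineCode, (j Mod n) + 1, 1)) Xor n Xor (j + 1)
        Next j
        ' Stage 2: walk the code backwards over all n chars, XORing into buf
        ' cyclically; with n = 10 the last char lands on buf(0) again.
        For i = 1 To n
            j = (i - 1) Mod 9
            buf(j) = buf(j) Xor Asc(Mid(machineCode, n + 1 - i, 1))
        Next i
    End If
    If k > 0 Then
        ' Stage 3: buf(j) = (buf(j) Xor key(j)) Xor Len(key) Xor (j + 1);
        ' only the first 9 key characters ever take part.
        For j = 0 To 8
            buf(j) = (buf(j) Xor Asc(Mid(setKey, (j Mod k) + 1, 1))) Xor k Xor (j + 1)
        Next j
    End If
    MixBytes = buf
End Function

' Stage 4 (routine 00477B50): base64 with a private alphabet. Each group of
' up to 3 bytes becomes four 6-bit table indexes; slots that a short final
' group leaves unwritten keep the &H40 fill, i.e. the 65th table entry "9".
' Bit work is done arithmetically: the original's Hex()/Oct() string tricks
' returned the low nibble instead of 0 for values below 16.
Private Function EncodeTable(buf() As Byte) As String
    Const TBL As String = "IYAGPXDJQWMHVCNFUZRBKESOLTtfkysbohlujwecpmiaqndxzvgr46+02573/81=9"
    Const PAD As Long = &H40
    Dim out As String
    Dim i As Long, cnt As Long, p As Long
    Dim b0 As Long, b1 As Long, b2 As Long
    Dim idx(0 To 3) As Long
    i = LBound(buf)
    Do While i <= UBound(buf)
        cnt = UBound(buf) - i + 1
        If cnt > 3 Then cnt = 3
        b0 = buf(i)
        b1 = 0
        b2 = 0
        If cnt >= 2 Then b1 = buf(i + 1)
        If cnt >= 3 Then b2 = buf(i + 2)
        For p = 0 To 3
            idx(p) = PAD
        Next p
        ' The four "key positions" of the listing, lowest address first.
        idx(0) = (b0 \ 4) And &H3F                                  ' b0 >> 2
        idx(1) = ((b0 * 16) Or (b1 \ 16)) And &H3F                   ' (b0 << 4) | (b1 >> 4)
        If cnt >= 2 Then idx(2) = ((b1 * 4) Or (b2 \ 64)) And &H3F   ' (b1 << 2) | (b2 >> 6)
        If cnt >= 3 Then idx(3) = b2 And &H3F
        For p = 0 To 3
            out = out & Mid(TBL, idx(p) + 1, 1)
        Next p
        i = i + 3
    Loop
    EncodeTable = out
End Function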
5、註冊資訊儲存在登錄檔:(凡是用eBook Edit Pro保護的軟體,其註冊資訊都放在這個位置;LoginUser即機器碼,LoginPassword即註冊碼)
[HKEY_CURRENT_USER\Software\eBook Edit Pro\Login\18BD1A10]
"SD"=dword:00009368
"SO"=dword:00000009
"LoginUser"="3754256370"
"LoginPassword"="Sey0kJw6CBL6"
BTW:很多CRACKER都收到過律師信,被告知如何如何侵犯軟體作者的利益。現在倒好北京市一格律師事務所竟然非法使用工具軟體製作《法律文書、合同樣本庫
5.10》。一怒之下,特意製做成此序號產生器! 為所有CRACKER鳴不平。